Harsh Russian reality: even bears can beat the crap out of you and steal a cool jeep right out of the sparsely populated centre of Siberia!
On a more serious note - “Welcome to friendly Moscow… fuck!”
Valera, shashlik and the parliamentary vote…
You decide! But only if you get yourself to go out and vote, and only if you urge those close to you to go out too…
Otherwise Valera will take the future into his own hands, the boss will eat shashlik “made of you”, and the elderly will have nothing but free trolleybuses (decorated with little Komsomol-red flags)…
And you? You, most likely, if you “don't go out to vote”… “will get punched in the face”… by the boss, obviously… for some 4-8 short years, no more…
…OR… better
Don't let others choose:
The below is just hilarious (true true excerpt from a mail informing about benefit reduction). Brainwashing at its best. Please note the thin technique of opposing statements.
“As always, the company is interested in the good health of employees and their families and we want to continue acting for this in future.
With this in mind, this year you will see slight reductions in certain benefits compared to the previous insurance period.”
These days I was thinking (yes, sometimes I commit this sin because “the coach forbids us to think”, “we work, we don't think”) why the hell, with all the advances of management and methodologies in software development, softdev still has to cope with mess… and I mean mess, the real mess/garbage/left-overs in the source code…
Well, to answer this question, I drew a (somewhat) parallel line with another development industry - building development. In general terms, the parallel can be made even with the work of a carpenter to a certain degree.
So, abstracting away the fact that softdev is more of a virtual environment (where programmers can optimize the lift so that its acceleration catapults it thru the roof, or can paint the paper roof to look like tile, and so on), a parallel line can be made:
One of the things I noticed, however, is that:
Below are two interesting research results. What confuses me is this:
So the questions are:
Other interesting facts:
As a fun note on the statistics, as one physics professor at PUB.ro used to say during our first year:
“Statistics is like this: if you put your head into the freezer at -50° Celsius and your butt into the oven at 124° Celsius, statistically on average you feel just comfortably perfect”
Enjoy the readings:
ălăvăn =))
Painful parkour/freerunning
…in Bessarabia …although there are many problems and things are far from Swiss perfection, and closer to Balkan-Mioritic (im)perfection, lately two things have made me smile and feel glad (even if for short periods and not necessarily for reasons that fundamentally change anything, though you never know) for my homeland:
- The Internet in Bessarabia is in the world Top 5
- “Nunta in Basarabia” must surely be an exceptional film, which I can hardly wait to see:
PS: from my own experience, when I was at a wedding in Balti around 2006, the wedding guests (among them a pair of godparents) from Romania were so exasperated by the Moldovan way of being and of holding a wedding that they kept repeating in the bus taking them to the party venue: “Never-ever-ever will we set foot in R. Moldova again, it's unbelievable…”
Well, unbelievable but true… and romantic, and comedic, and sad, and heartening, because it is like nobody else's
A few days back we went to Georgia’s National Dance Ensemble “Sukhishvili” in Limassol. It was an amazing show. Being a wannabe-professional dancer at my fragile ages of 6 till 12, I can tell you that these guys deserve lots of respect.
From my point of view, they are comparable with Lord of the Dance (I liked Lord of the Dance back in 2001 in Bucharest at Sala Palatului when Flatley was still in the show, however the recent one in 2009 in Larnaca could be better).
I can say somewhere Sukhishvili are even better. The complexity of the moves, the high tempo (along 90% of the show) of around 200 BPMs, the tricks with knives and spade-fights at this tempo, the crazy pirouettes on reversed toes - this is just amazing, speechless…
Here are some nice mixes of their work:
Wish my Moldova had the same thoughtful management towards the great talents in culture (which they seem to throw to garbage). Why is ensemble “Joc” not getting proper funding, having such talents as can be seen below?
Enjoy ensemble “Joc”:
Though a bit radical or blunt… I like them! I like the ideas, I like the music they choose, I like what and how they film…
Enjoy!
“Creditul pentru orice… PROST!”
===========================
“(B)Ani de Liceu”
http://gallery.maxim.ro/protest/bani_de_liceu_01.swf
===========================
“Salvati zidurile!”
http://www.thepulafashion.com/revolutie.swf
http://www.thepulafashion.com/index_ziduri.html
Most probably you have come to the right place if you were looking for:
- “Hacking printers for fun and profit” paper from EuSecWest 2010
- Andrei Constin or Andrei Constantin presentation from EuSecWest 2010
Actually, an unfortunate spelling mistake in the initial publication of the speakers list for EuSecWest 2010 (given the copy-paste and propagation effect of blogs and mailing lists) transformed my correct name, Andrei Costin, into Andrei Constin, which then by Google’s “wisdom” became Andrei Constantin.
Download here: EuSecWest 2010 “Hacking Printers for fun and profit” Andrei Costin
Download here: Remote-initiated PPE (printer payload exploit) using Java applets.
Seems some people really liked the talk, paper and the ideas, while others took their most hilarious laughs ever (not sure if it was because of my talk or because of Amsterdam treats =)) ).
Tweetfeeds of the conference can be found here and here.
All in all, the event was very nice. Special thanks to Dragos and all the crew for organizing a great event.
After hearing about hackers on the plane and hackers on the train, we were doing hackers on the boat on Amsterdam’s canals. Also, it was nice to see that a cool crowd from ESW10 DoS-ed the tram literally on their way to the boats.
PS: we almost got owned by the boat captain like a group of kindergarten kids =))… shhhhh and quiet, otherwise get kicked in the ass
And yeah, props to Dragos for the pelican case full of beer and to the guys carrying the heavy devil of ice and beer.
Disclaimer: I am not doing any kind of PR for Mr. Ghimpu or the party he is a member of. This is a personal opinion, more a sharing of impressions.
On Friday, 12 June 2010, at the Atlantic Bay Hotel, Mr. Mihai Ghimpu, speaker of the parliament of the R. Moldova and also interim president of the R. Moldova, honoured us with his presence at a meeting with some of the citizens of the R. Moldova settled in Cyprus.
Although I am far from politics and generally sceptical of such meetings, I was very pleasantly impressed by his attitude both during the preparation of this meeting and in the course of it.
A well thought-out, coherent speech, and without an electoral tinge from my point of view (or at least without crude or obvious urging). Although he holds two important state offices, he left enough room for a relaxed atmosphere of dialogue. A simple and open person - an image that matched perfectly the one I had seen in the mass media.
What impressed me greatly was the patience and calm with which he listened to all our questions, problems and proposals (although some of them were either more particular cases of general problems, or had nothing at all to do with his remit). Likewise, I was surprised by his attitude and patience towards the three cute (and obviously noisy - whoever watches the full video will understand) little children who were also present at the meeting.
All in all, I give the meeting a positive mark (overcoming all my characteristic scepticism towards the field of politics) - a pleasant surprise, in other words.
PS: thanks to Vadim B. for the video capture, editing and processing, as well as to the team of the Honorary Consulate of the R. Moldova in Cyprus for the promptness and professionalism shown in preparing this meeting (namely the conference room provided at the Atlantic Bay Hotel in the minimal time in which they were notified)
Links:
http://andreicostin.com/parlament
http://topofthetubes.com/video/VIDEO_D4ysBY_JoPmLT/mihai-ghimpu-cipru-intalnirea-cu-moldoveni-20100611-original
http://www.mefeedia.com/video/31531579
http://moldpres.md/News.aspx?NewsCod=5260
http://www.moldova.ms/?l=ro&a=7&i=2873
via Lena
___________________________
Alimentara comunistă: mic ghid turistic (2)
___________________________
Meet Will Urbina
One of his interesting techno-design works:
I invite you to take a look at EUSecWest 2010 agenda and register. Perhaps we could meet there, who knows…
I have read many times about Fata Morgana effects and the beautiful image illusions it creates.
However, on Friday 7 May 2010 around 12:00-13:00 in Limassol, I was pretty lucky to observe this amazing effect.
There was only 1 cargo ship near the horizon which was optically affected. At the horizon level, there was a band of a slightly darker colour compared to the sea or sky. That cargo ship was optically lifted, un-inverted, on top of the band. As the effect was fading away, there was a mirror-like image of the cargo ship on the same level, departing from the ship itself towards the left side…
A few minutes after observing the effect, when taking our lunch out to the company terrace, the fata morgana was already gone… It is as true as it’s said: “Here She is, and here She’s not…”
Other two interesting related blog posts.
I suppose, in general terms experiencing Fata Morgana is as nice as experiencing Tramontane
Well, sad and true at the same time… It is an entertaining read and one full of insights…
Maybe it’s just one of those reasons why software is getting more crappy, unreliable, insecure, etc.
UPDATE: A more recent post with Google Calendar support
Recently, there is a high span of various security and hackers conferences and conventions going on.
Keeping track of them is not as easy as it seems, since there is no central point where to look up their schedules, locations, call for papers, etc.
So I decided to compile a list for my own (well it doesn’t cover 100% of security related conferences out there, but it tries to cover most of the publicly known/accessible ones).
I want to present a few nice sites which might be interesting for you. At least I enjoyed finding them and getting information about them.
From wiki: “419eater.com is a scam baiting website which focuses on advance-fee fraud. The name 419 comes from “419 fraud", another name for advance fee fraud, and itself derived from the relevant section of the Nigerian criminal code. The website founder, Michael Berry, goes by the alias Shiver Metimbers. The 419 Eater forum has over 24,000 registered accounts.”
The people on this forum are taking it as a real-life role-playing-game. They have something like medals on how many fake-banks they “crashed", flags of countries where they “smashed” a scammer, etc.
If you like this kind of long and ad-hoc scenario games, this is the place to try. If not, even just simply browsing the forum is fun. BTW, on this site you can find almost any phrase which you would find in the emails from the Spam/Junk folder.
Related to this type of activity is the Project Honeypot. More on computer-related honeypots.
From wiki: “The CouchSurfing Project is the largest hospitality exchange network, with over 1.75 million members in 237 countries and territories.[1] According to Alexa it is currently the most visited hospitality service on the Internet, averaging around 40 million daily page views July-December 2009”
Interested? CouchSurfing FAQ will get you started - prepare your backpacks!
PS: though CouchSurfing might be fun, free and exciting, NEVER forget the common-sense for personal privacy and security, just to avoid so called (and over-hyped) CouchSurfing horror stories
(thanks to Veronica for throwing some light on the existence of such a project)
Random thoughts on current events:
Kyrgyzstan riots 7 April 2010:
Yes, may be just coincidences…
As in “Hercule Poirot’s Christmas”, I’d say “I can accept one coincidence”, but then…
Quotes of the days:
“I hate ’smart’ under-tested automated software written by stupid over-self-estimated wannabes”
“At present there are broadly two large categories of goods on our markets: those made in one Asian 1-billion-nation country which have N-to-1 ratio of incorporated features (80-ni-hao-in-1 card readers, 999-in-1 tetris games, etc.) AND those made/designed in another Asian 1-billion-nation country which are simply plug-n-play and EVERYTHING works out-of-the-box-sir“
___________________________________
Nice Pepsi ads:
Well, I have tried in the past Irish Flag and other layered shots like B52, etc.
However, I wanted something more to my MoldoRomanian soul-and-heart.
For a few weeks this bothered my mind in the background… And finally yesterday, during drinks color-solubility-density-taste experiments with Igor, we found the layering formula of some selected drinks. If you have played with cocktails and shots on your own, you might have noticed that drinks’ color, density, solubility and taste-class restrictions are quite hard for a layered drink, especially when you have a strict pattern of color.
Today, I have tried to produce the first public version and it went pretty well I can say - the taste and the look are lovely!
Enjoy (responsibly)!
Sweet Moldavian recipe:
(translated from Romanian)
Daniel Raduta is a friend and a university classmate of mine. He is a special person, and I was left speechless when I learned of his diagnosis.
If you think you can/want to donate - please donate as much as you can, even the smallest sum. If you know someone who can/wants to donate - please pass the humanitarian appeal on. If you have a Facebook account and want to support him - please join too!
Wireless Power is not something new. It’s an old idea, an old dream, an old demo. However, it has now been revived with new force in the form of new technology products.
Mainly, there are two camps trying to use magnetic induction to charge things:
However, the post is not about going over this technology itself - if you want to explore, check the links provided at the end.
The point of this post is to discuss the security perspective of wireless power transfer, especially for the over-the-air type. The last several years have consistently proved that wireless technologies (WiFi, RFID, remote controls, GSM, etc.) are very prone to security vulnerabilities (sadly, most often by design rather than by implementation).
The types of attack one can envision are:
- wireless power theft
For those who don’t know, TV-B-Gone is a device that makes TVs… well, to be gone… (As in Boris-The-Bullet-Dodger). It was invented by Mitch Altman, and is sold as a ready (but limited in flexibility) unit, as well as a soldering/programming kit from Limor aka LadyAda.
I bought my TV-B-Gone kit version 1.1 from LadyAda some time back, but only recently, with help from VadimBo, we got it soldered and (re)programmed.
Just to give you an idea what can be done (but not actually advised though) - check “Confessions: The Meanest Thing Gizmodo Did at CES”
The downsides of the version 1.1 are:
So, I backported from tvbgone firmware 1.2 (Caitsith corrected WORLDcodes.c #ifdef version) into firmware 1.1b the following:
Well, Samy is my hero is cool… but Pasha is my hero is hotter now
Yes you can Pasha (aka Pavel Turcu, aka Pavel Turkish)!
“Top views Moldova Eurovision 2010 on YouTube”
“Pavel Turcu - Hitler scene remix”
-So what's your name?
-Well, what's my name, Vanya
-Right, Vanya and what else?
-What do you mean, what else? Just Vanya
-And the one who gave you the cigarettes, is he Romanian or from the Republic of Moldova?
-I told you he's Moldovan!
By a very nice coincidence I have bumped into this interesting paper (dating around 15 Jul 2008) - “BREAKING THE BANK - VULNERABILITIES IN NUMERIC PROCESSING WITHIN FINANCIAL APPLICATIONS” - ENJOY the reading!
Given I currently work in a telecom billing software company - I just cannot find enough words and meanings to confirm with sorrow that pretty-fucking-many of my fellow programmers do not give a shi…ny glass for avoiding this kind of problems. Worse, they don’t even realize it :-S…
PS: …and YES, Bank Of Cyprus (along with its new migrated Java/JSF-based banking application - a special post on this to follow) allows/uses:
Happy hacking…
When it comes to speaking about money, a lot of people get interested. And nowadays most money discussions revolve around or near the EUR-USD exchange rates.
Some people (including me sometimes) are unhappy to depend on exchange rates and to keep losing their honestly earned savings because some avid and greedy circles of interest are playing with the rates and making them uncontrollable…
RUPEEEEEEEEE!
UPDATE: 20100110
Happy New Year?
“Be fruitful, cows, life is short” (c) GGM
Hockey hasn't changed much when it comes to “the desire and thirst to fight to the blood” =))
The hottest hockey players seem to be the Russians and the Canadians
Using Google Translate German-to-English
Even a single marking point on a character makes huge difference.
However, this one, for me as a Moldovan/Romanian, is like winning the lottery - what were the chances I would misspell that character in that phrase?
Bei verpasstem Anschlusszug bitte ausfullen - In Moldovian Missed connecting train please
Bei verpasstem Anschlusszug bitte ausfüllen - When connecting train, please fill Missed
Some points why USSD is a good choice:
- USSD and USSD replies are free compared to SMS (except special, VAS, etc. numbers)
- USSD and USSD replies interact with 3rd party USSD Gateway software, which most probably can be attacked more easily compared to an SMSC
- USSD Gateways (if not crashed by a border-case/not-tested/unusual/malformed USSD message or USSD reply), forward the messages to Applications. Most probably “Third party content and application providers” suffer from buffer overflow, script injection, SQL injection, etc.
According to http://www.truteq.com/tips/ussd/:
“The menus are served by applications. This may not be at the GSM network operator, but at a content provider connected to the USSD infrastructure. Applications or content can therefore be served from :
1. Standard supplementary services
2. GSM Network Operators value-added services
3. Third party content and application providers”
- USSD sessions implementation mechanisms can be exploited in USSD Gateways (grow huge sessions, open huge number of sessions, etc.)
Fuzzing requires a lot of messages/replies back and forth through TELCO’s equipment. Many may say that such activity may not go unnoticed, and this is true.
It was interesting for me to find out and read an old paper called “Forensics and the GSM mobile telephone system” (original article file 03_spring_art1.pdf).
The point I want to discuss here is also somehow related to trust or mis-trust whether a given called subscriber really went out of GSM network reach/had the battery discharged during idle OR the subscriber actually shut off his phone and pretends he is out of network reach/battery discharged.
This trust/mis-trust often comes as a facade dialogue template:
John: “I tried to call you regarding XYZ”
Bob: “Umm, I am really sorry - I really wanted to talk to you, but I lost network/I had phone battery discharged” (when actually Bob did switch off his phone on purpose not to be reachable specifically by John and/or other calling parties)
Now there is really a way, without having any technical device or very specific knowledge, to find out whether a subscriber has shut down his phone or went out of network reach or had his battery discharged.
26C3 is over… It was a fun experience however!
Some key points:
Together with Pavol Luptak (from Nethemba team in Slovakia), I had a lightning talk about the MFCUK
Online video / Downloadable video (our talk starts around 00:09:50)
Slides 26C3 Lightning Talk Day2 MFCUK Mifare Classic Toolkit
Also, I have attended a very nice and neat workshop put up by Mathias Coinchon from OpenDigitalRadio.org
Mathias has also kindly provided the GNU Radio Companion files used in “26C3 Radio Broadcasting Workshop”.
Ever wondered how the thousand pages books are scanned and put online? I was wondering that too.
A nice lecture and slides are here:
Mixing all blogs into a single access point.